Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

SAN FRANCISCO—Information sharing—or the lack of sharing—has become a prominent point of contention between private corporations and government agencies. The issue is even more of a problem for critical infrastructure providers, control-system experts said at the RSA Conference.

While there are hubs of activity around security in critical infrastructure, companies tend not to share vulnerability and attack information with each other, a panel of industry and academic experts told attendees. Best practice information on device and network configuration is largely kept in-house, despite the benefits of sharing, said Doug Powell, manager for security, privacy and safety at electric-power generation firm BC Hydro.

"We've had to build our own test environment and test our technology—hack it to find vulnerabilities—before we deployed it," Powell said. "But we, as an industry, don't have a good sharing environment, so what we learn—and what others learn—is not necessarily passed along."

Unlike the United States, information sharing between the Canadian government and critical infrastructure firms does occur because it does not have to surmount the hurdle of data classification. While the United States is working on getting more companies cleared for classified information, the Canadian utilities already have clearance, Powell said.

Further reading

For the past half decade, security researchers have focused on breaking industrial-control systems--such as those that use supervisory control and data acquisition (SCADA) protocols--and finding vulnerabilities. Only recently, with the attack by Stuxnet and the identification of vulnerable networks connected to the Internet, have critical infrastructure owners really focused on the problem, panelists said.

Until recently, for example, electric providers worried about securing their operational technology (OT)—the generation and transmission capabilities—rather than their information technology, Powell said. But in the last two years, the concerns have become completely focused on the information technology that monitors and controls such equipment, Powell said.

While government and critical infrastructure companies used to be able to identify and control the threats to the physical equipment, that is no longer the case. The worry is that "you can manipulate OT to destroy a dam and you can do it halfway around the world," he said.

The danger to SCADA and other operational networks will likely get worse, said Jose Fernandez, assistant professor in the Department of Computer and Software Engineering for Ecole Polytechnique de Montreal. Only a certain few actors would want to hack into power networks and harm critical infrastructure, but with consumer power being monitored and controlled through the smart grid, criminal hackers will likely become more interested in finding ways of breaking into the network and stealing money.

"What I'm worried about is, that with these smart grids, there will be an incentive to hack the network," Fernandez said. "Money makes the world go round--not nuclear weapons (and other forms of massive destruction) but money."

While improving the security of operational devices is important, control systems are updated and modernized very slowly, said Marcelo Branquinho, director of TI Safe's Security Automation Training.

"What they are working on now are the next generation of devices, but many companies are planning to use their devices for the next 20 years," Branquinho said.

In that environment, critical infrastructure providers need to work together to find the best ways to secure their insecure, legacy systems, he said.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.